Backport ClickHouse#88089 to 25.8: Add a URI normalization for the SOURCE grants filter.

Author: robot-clickhouse

docs/en/sql-reference/statements/grant.md

@@ -680,6 +680,23 @@ GRANT READ ON S3('s3://foo/.*') TO john
 GRANT READ ON S3('s3://bar/.*') TO john
 ```
 
+:::warning
+Source filter takes **regexp** as a parameter, so a grant
+`GRANT READ ON URL('http://www.google.com') TO john;`
+
+will allow queries
+```sql
+SELECT * FROM url('https://www.google.com');
+SELECT * FROM url('https://www-google.com');
+```
+
+because `.` is treated as an `Any Single Character` in the regexps. 
+This may lead to potential vulnerability. The correct grant should be
+```sql
+GRANT READ ON URL('https://www\.google\.com') TO john;
+```
+:::
+
 **Re-granting with GRANT OPTION:**
 
 If the original grant has `WITH GRANT OPTION`, it can be re-granted using `GRANT CURRENT GRANTS`:

src/TableFunctions/ITableFunction.cpp

@@ -44,7 +44,7 @@ StoragePtr ITableFunction::execute(const ASTPtr & ast_function, ContextPtr conte
         if (is_insert_query)
             type_to_check = AccessType::WRITE;
 
-        context->getAccess()->checkAccessWithFilter(type_to_check, toStringSource(*access_object), getFunctionURI());
+        context->getAccess()->checkAccessWithFilter(type_to_check, toStringSource(*access_object), getFunctionURINormalized());
     }
 
     auto table_function_properties = TableFunctionFactory::instance().tryGetProperties(getName());

src/TableFunctions/ITableFunction.h

@@ -106,13 +106,29 @@ class ITableFunction : public std::enable_shared_from_this<ITableFunction>
     /// For example for s3Cluster the database storage name is S3Cluster, and we need to check
     /// privileges as if it was S3.
     virtual const char * getNonClusteredStorageEngineName() const;
+
+protected:
     /// The URI of function for permission checking. Can be empty string if not applicable.
     /// For example for url('https://foo.bar') URI would be 'https://foo.bar'.
     virtual const String & getFunctionURI() const
     {
         static const String empty;
         return empty;
     }
+
+    String getFunctionURINormalized() const
+    {
+        try
+        {
+            Poco::URI uri(getFunctionURI());
+            uri.normalize();
+            return uri.toString();
+        }
+        catch (const Poco::Exception &)
+        {
+            return "";
+        }
+    }
 };
 
 /// Properties of table function that are independent of argument types and parameters.

src/TableFunctions/ITableFunctionXDBC.cpp

@@ -62,8 +62,6 @@ class ITableFunctionXDBC : public ITableFunction
 
     void startBridgeIfNot(ContextPtr context) const;
 
-    const String & getFunctionURI() const override { return connection_string; }
-
     String connection_string;
     String schema_name;
     String remote_table_name;

src/TableFunctions/TableFunctionURL.cpp

@@ -143,7 +143,7 @@ ColumnsDescription TableFunctionURL::getActualTableStructure(ContextPtr context,
         ColumnsDescription columns;
 
         if (const auto access_object = getSourceAccessObject())
-            context->getAccess()->checkAccessWithFilter(AccessType::READ, toStringSource(*access_object), getFunctionURI());
+            context->getAccess()->checkAccessWithFilter(AccessType::READ, toStringSource(*access_object), getFunctionURINormalized());
         if (format == "auto")
         {
             columns = StorageURL::getTableStructureAndFormatFromData(

tests/queries/0_stateless/03636_normalize_url_in_source_grants.reference

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Tags: no-fasttest
+
+CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CUR_DIR"/../shell_config.sh
+
+user="user03636_${CLICKHOUSE_DATABASE}_$RANDOM"
+
+${CLICKHOUSE_CLIENT} <<EOF
+-- Cleanup
+DROP USER IF EXISTS $user;
+CREATE USER $user;
+GRANT CREATE TEMPORARY TABLE ON *.* TO $user;
+EOF
+
+${CLICKHOUSE_CLIENT} --query "GRANT READ ON S3('http://localhost:11111/test/.*') TO $user WITH GRANT OPTION";
+
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM s3('http://localhost:11111/test/a.tsv', 'TSV') FORMAT Null;";
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM s3('http://localhost:11111/a.tsv', 'TSV') FORMAT Null; -- { serverError ACCESS_DENIED }";
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM s3('http://localhost:11111/test/../a.tsv', 'TSV') FORMAT Null; -- { serverError ACCESS_DENIED }";
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM s3('http://localhost:11111/test/%2e%2e/a.tsv', 'TSV') FORMAT Null; -- { serverError ACCESS_DENIED }";
+
+${CLICKHOUSE_CLIENT} <<EOF
+DROP USER IF EXISTS $user;
+EOF